8 | Hospitality Today | Summer 2017
Also, customers’ payment card details can be received from many sources, such as third-party booking systems, point of sale systems, the hotel website, email, fax and telephone. All of this makes hotels an attractive target for cyber criminals, and they are particularly susceptible when systems fail. To ensure compliance with the GDPR, hotel businesses will need to take action now to safeguard customers’ data records, which will frequently require a significant overhaul of current operations.
Under the GDPR, businesses are required to report a personal data breach to the supervisory authority within 72 hours. Where a personal data breach is likely to result in a high risk to the individuals affected, such as where customers’ credit card details have been stolen, the business must communicate the breach to those individuals without undue delay. The communication must describe the nature of the breach in clear and plain language. The most serious breaches can incur fines of up to 4% of a company’s global annual turnover or €20 million (whichever is greater), not to mention the bad publicity arising from any data breach, and affected individuals may also bring claims for compensation.
Practical steps to take now
The penalties for not complying are severe, as is the potential loss of reputation within the hospitality sector. However, this loss can be easily avoided if hospitality businesses start the GDPR compliance process now by taking the following steps:
make the GDPR reforms known to the highest level of decision makers;
carry out an audit of what personal data is held, where it came from, where to find it and who it is shared with;
review current privacy notices / policies and identify those areas which will require updating to ensure compliance with the GDPR;
review and update current procedures for handling subject access requests and deletion requests;
review the methods for seeking, obtaining and recording consent for marketing purposes to ensure compliance with the GDPR;